I have a set of RESTful services developed using ASP.NET WebAPI which is a single project. I handle authentication via ASP.NET's built-in Forms Authentication (cookie based) mechanism which is also built into the same project. The services need to be publicly exposed to the internet as they will be consumed by mobile applications.

One of my teammates suggested keeping authentication separate and hosting it in the DMZ while the services project is hosted inside a firewall like so